goncalor/README.md

## README.md

      
    Raw
  

              README.md
            
          
    MSMQ Nmap service probe

⚠️ Disclaimer: testing of this probe is limited and the MSMQ protocol is proprietary and undocumented. Use this probe at your own risk. ⚠️
Nmap currently has no way to detect whether the service running on TCP port 1801 is Microsoft Message Queuing (MSMQ). The file msmq-service-probe here has been developed to give Nmap the capability to detect MSMQ. The objective is to help identify assets with MSMQ exposed, that may be vulnerable to CVE-2023-21554, aka QueueJumper.
This works by sending a MSMQ packet to port 1801 and checking if the response matches an expected fingerprint.
You can run this probe as follows:
nmap -Pn -n -v -p1801 -sV --versiondb msmq-service-probe 127.0.0.1

If the service running on the port is MSMQ, Nmap will output the following:
PORT     STATE SERVICE VERSION
1801/tcp open  msmq    Microsoft MQ

If the server is not MSMQ this is printed instead:
PORT     STATE SERVICE VERSION
1801/tcp open  msmq?


## msmq-service-probe
# Nmap service detection probe list -*- mode: fundamental; -*-
#
# This is a database of custom probes and expected responses that the
# Nmap Security Scanner ( https://nmap.org ) uses to
# identify what services (eg http, smtp, dns, etc.) are listening on
# open ports.  Contributions to this database are welcome.
# Instructions for obtaining and submitting service detection fingerprints can
# be found in the Nmap Network Scanning book and online at
# https://nmap.org/book/vscan-community.html
#
# For details on how Nmap version detection works, why it was added,
# the grammar of this file, and how to detect and contribute new
# services, see https://nmap.org/book/vscan.html.

Exclude T:9100-9107

##############################NEXT PROBE##############################
# Microsoft MQ probe
Probe TCP NULL q|\x10\0\x0b\0\x4c\x49\x4f\x52\x3c\x02\0\0\xff\xff\xff\xff\0\0\x02\0\x06\x55\x3d\x51\x36\xdf\xc7\x40\x96\x43\x17\x5c\x3c\xe7\x6c\xaa\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\xd2\x29\x1d\x06\x10\x03\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0|

ports 1801

match msmq m|^\x10\x5a\x0b\0\x4c\x49\x4f\x52\x3c\x02\0\0\xff\xff\xff\xff\0\0\x02\0\x06\x55\x3d\x51\x36\xdf\xc7\x40\x96\x43\x17\x5c\x3c\xe7\x6c\xaa| p/Microsoft MQ/
# .*ZZZ$ should end the regex, but detection fails in some cases with this. Unsure why

totalwaitms 6000
	# Nmap service detection probe list -- mode: fundamental; --
	#
	# This is a database of custom probes and expected responses that the
	# Nmap Security Scanner ( https://nmap.org ) uses to
	# identify what services (eg http, smtp, dns, etc.) are listening on
	# open ports. Contributions to this database are welcome.
	# Instructions for obtaining and submitting service detection fingerprints can
	# be found in the Nmap Network Scanning book and online at
	# https://nmap.org/book/vscan-community.html
	#
	# For details on how Nmap version detection works, why it was added,
	# the grammar of this file, and how to detect and contribute new
	# services, see https://nmap.org/book/vscan.html.

	Exclude T:9100-9107

	##############################NEXT PROBE##############################
	# Microsoft MQ probe
	Probe TCP NULL q\|\x10\0\x0b\0\x4c\x49\x4f\x52\x3c\x02\0\0\xff\xff\xff\xff\0\0\x02\0\x06\x55\x3d\x51\x36\xdf\xc7\x40\x96\x43\x17\x5c\x3c\xe7\x6c\xaa\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\xd2\x29\x1d\x06\x10\x03\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\|

	ports 1801

	match msmq m\|^\x10\x5a\x0b\0\x4c\x49\x4f\x52\x3c\x02\0\0\xff\xff\xff\xff\0\0\x02\0\x06\x55\x3d\x51\x36\xdf\xc7\x40\x96\x43\x17\x5c\x3c\xe7\x6c\xaa\| p/Microsoft MQ/
	# .*ZZZ$ should end the regex, but detection fails in some cases with this. Unsure why

	totalwaitms 6000